Commit Graph

1139018 Commits

Author SHA1 Message Date
Huacai Chen 366bb35a8e LoongArch: Add suspend (ACPI S3) support
Add suspend (Suspend To RAM, aka ACPI S3) support for LoongArch.

Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:41:53 +08:00
Binbin Zhou 27cab43156 LoongArch: Add processing ISA Node in DeviceTree
Similar to commit 6d0068ad15 ("MIPS: Loongson64: Process ISA
Node in DeviceTree"), we process ISA node in DeviceTree for FDT-based
systems.

Previously, we are hardcoding reserved ISA I/O Space in, now we are
processing it I/O via DeviceTree directly. The ranges property of ISA
node is used to determine the size and address of reserved I/O space.

Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:41:53 +08:00
Binbin Zhou 88d4d957ed LoongArch: Add FDT booting support from efi system table
Since commit 40cd01a9c324("efi/loongarch: libstub: remove dependency on
flattened DT"), we can parse the FDT from efi system table.

And now, LoongArch is coming to support booting with FDT, so we add the
relevant booting support as well as parameter parsing.

Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:41:53 +08:00
Huacai Chen a275a82dcd LoongArch: Use alternative to optimize libraries
Use the alternative to optimize common libraries according whether CPU
has UAL (hardware unaligned access support) feature, including memset(),
memcopy(), memmove(), copy_user() and clear_user().

We have tested UnixBench on a Loongson-3A5000 quad-core machine (1.6GHz):

1, One copy, before patch:

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0    9566582.0    819.8
Double-Precision Whetstone                       55.0       2805.3    510.1
Execl Throughput                                 43.0       2120.0    493.0
File Copy 1024 bufsize 2000 maxblocks          3960.0     209833.0    529.9
File Copy 256 bufsize 500 maxblocks            1655.0      89400.0    540.2
File Copy 4096 bufsize 8000 maxblocks          5800.0     320036.0    551.8
Pipe Throughput                               12440.0     340624.0    273.8
Pipe-based Context Switching                   4000.0     109939.1    274.8
Process Creation                                126.0       4728.7    375.3
Shell Scripts (1 concurrent)                     42.4       2223.1    524.3
Shell Scripts (8 concurrent)                      6.0        883.1   1471.9
System Call Overhead                          15000.0     518639.1    345.8
                                                                   ========
System Benchmarks Index Score                                         500.2

2, One copy, after patch:

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0    9567674.7    819.9
Double-Precision Whetstone                       55.0       2805.5    510.1
Execl Throughput                                 43.0       2392.7    556.4
File Copy 1024 bufsize 2000 maxblocks          3960.0     417804.0   1055.1
File Copy 256 bufsize 500 maxblocks            1655.0     112909.5    682.2
File Copy 4096 bufsize 8000 maxblocks          5800.0    1255207.4   2164.2
Pipe Throughput                               12440.0     555712.0    446.7
Pipe-based Context Switching                   4000.0      99964.5    249.9
Process Creation                                126.0       5192.5    412.1
Shell Scripts (1 concurrent)                     42.4       2302.4    543.0
Shell Scripts (8 concurrent)                      6.0        919.6   1532.6
System Call Overhead                          15000.0     511159.3    340.8
                                                                   ========
System Benchmarks Index Score                                         640.1

3, Four copies, before patch:

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0   38268610.5   3279.2
Double-Precision Whetstone                       55.0      11222.2   2040.4
Execl Throughput                                 43.0       7892.0   1835.3
File Copy 1024 bufsize 2000 maxblocks          3960.0     235149.6    593.8
File Copy 256 bufsize 500 maxblocks            1655.0      74959.6    452.9
File Copy 4096 bufsize 8000 maxblocks          5800.0     545048.5    939.7
Pipe Throughput                               12440.0    1337359.0   1075.0
Pipe-based Context Switching                   4000.0     473663.9   1184.2
Process Creation                                126.0      17491.2   1388.2
Shell Scripts (1 concurrent)                     42.4       6865.7   1619.3
Shell Scripts (8 concurrent)                      6.0       1015.9   1693.1
System Call Overhead                          15000.0    1899535.2   1266.4
                                                                   ========
System Benchmarks Index Score                                        1278.3

4, Four copies, after patch:

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0   38272815.5   3279.6
Double-Precision Whetstone                       55.0      11222.8   2040.5
Execl Throughput                                 43.0       8839.2   2055.6
File Copy 1024 bufsize 2000 maxblocks          3960.0     313912.9    792.7
File Copy 256 bufsize 500 maxblocks            1655.0      80976.1    489.3
File Copy 4096 bufsize 8000 maxblocks          5800.0    1176594.3   2028.6
Pipe Throughput                               12440.0    2100941.9   1688.9
Pipe-based Context Switching                   4000.0     476696.4   1191.7
Process Creation                                126.0      18394.7   1459.9
Shell Scripts (1 concurrent)                     42.4       7172.2   1691.6
Shell Scripts (8 concurrent)                      6.0       1058.3   1763.9
System Call Overhead                          15000.0    1874714.7   1249.8
                                                                   ========
System Benchmarks Index Score                                        1488.8

Signed-off-by: Jun Yi <yijun@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Huacai Chen 19e5eb15b0 LoongArch: Add alternative runtime patching mechanism
Introduce the "alternative" mechanism from ARM64 and x86 for LoongArch
to apply runtime patching. The main purpose of this patch is to provide
a framework. In future we can use this mechanism (i.e., the ALTERNATIVE
and ALTERNATIVE_2 macros) to optimize hotspot functions according to cpu
features.

Signed-off-by: Jun Yi <yijun@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Huacai Chen 61a6fccc0b LoongArch: Add unaligned access support
Loongson-2 series (Loongson-2K500, Loongson-2K1000) don't support
unaligned access in hardware, while Loongson-3 series (Loongson-3A5000,
Loongson-3C5000) are configurable whether support unaligned access in
hardware. This patch add unaligned access emulation for those LoongArch
processors without hardware support.

Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Youling Tang dbcd7f5faf LoongArch: BPF: Add BPF exception tables
Inspired by commit 800834285361("bpf, arm64: Add BPF exception tables"),
do similar to LoongArch to add BPF exception tables.

When a tracing BPF program attempts to read memory without using the
bpf_probe_read() helper, the verifier marks the load instruction with
the BPF_PROBE_MEM flag. Since the LoongArch JIT does not currently
recognize this flag it falls back to the interpreter.

Add support for BPF_PROBE_MEM, by appending an exception table to the
BPF program. If the load instruction causes a data abort, the fixup
infrastructure finds the exception table and fixes up the fault, by
clearing the destination register and jumping over the faulting
instruction.

To keep the compact exception table entry format, inspect the pc in
fixup_exception(). A more generic solution would add a "handler" field
to the table entry, like on x86, s390 and arm64, etc.

Signed-off-by: Youling Tang <tangyouling@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Youling Tang 912bcfaf36 LoongArch: Remove the .fixup section usage
Use the `.L_xxx` label to improve fixup code and then remove the .fixup
section usage.

Signed-off-by: Youling Tang <tangyouling@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Youling Tang 672999cfae LoongArch: extable: Add a dedicated uaccess handler
Inspired by commit 2e77a62cb3a6("arm64: extable: add a dedicated uaccess
handler"), do similar to LoongArch to add a dedicated uaccess exception
handler to update registers in exception context and subsequently return
back into the function which faulted, so we remove the need for fixups
specialized to each faulting instruction.

Add gpr-num.h here because we need to map the same GPR names to integer
constants, so that we can use this to build meta-data for the exception
fixups.

The compiler treats gpr 0 as zero rather than $r0, so set it separately
to .L__gpr_num_zero, otherwise the following assembly error will occurs:

{standard input}: Assembler messages:
{standard input}:1074: Error: invalid operands (*UND* and *ABS* sections) for `<<'
{standard input}:1160: Error: invalid operands (*UND* and *ABS* sections) for `<<'
make[1]: *** [scripts/Makefile.build:249: fs/fcntl.o] Error 1

Signed-off-by: Youling Tang <tangyouling@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Youling Tang 26bc824412 LoongArch: extable: Add `type` and `data` fields
This is a LoongArch port of commit d6e2cc5647 ("arm64: extable: add
`type` and `data` fields").

Subsequent patches will add specialized handlers for fixups, in addition
to the simple PC fixup we have today. In preparation, this patch adds a
new `type` field to struct exception_table_entry, and uses this to
distinguish the fixup and other cases. A `data` field is also added so
that subsequent patches can associate data specific to each exception
site (e.g. register numbers).

Handlers are named ex_handler_*() for consistency, following the example
of x86. At the same time, get_ex_fixup() is split out into a helper so
that it can be used by other ex_handler_*() functions in the subsequent
patches.

Signed-off-by: Youling Tang <tangyouling@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Youling Tang 3d36f4298b LoongArch: Switch to relative exception tables
Similar to other architectures such as arm64, x86, riscv and so on, use
offsets relative to the exception table entry values rather than their
absolute addresses for both the exception location and the fixup.

However, LoongArch label difference because it will actually produce two
relocations, a pair of R_LARCH_ADD32 and R_LARCH_SUB32. Take simple code
below for example:

$ cat test_ex_table.S
.section .text
1:
        nop
.section __ex_table,"a"
        .balign 4
        .long (1b - .)
.previous

$ loongarch64-unknown-linux-gnu-gcc -c test_ex_table.S
$ loongarch64-unknown-linux-gnu-readelf -Wr test_ex_table.o

Relocation section '.rela__ex_table' at offset 0x100 contains 2 entries:
    Offset            Info             Type         Symbol's Value   Symbol's Name + Addend
0000000000000000 0000000600000032 R_LARCH_ADD32    0000000000000000  .L1^B1 + 0
0000000000000000 0000000500000037 R_LARCH_SUB32    0000000000000000  L0^A + 0

The modpost will complain the R_LARCH_SUB32 relocation, so we need to
patch modpost.c to skip this relocation for .rela__ex_table section.

Signed-off-by: Youling Tang <tangyouling@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Youling Tang 508f28c671 LoongArch: Consolidate __ex_table construction
Consolidate all the __ex_table constuction code with a _ASM_EXTABLE or
_asm_extable helper.

There should be no functional change as a result of this patch.

Signed-off-by: Youling Tang <tangyouling@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2022-12-14 08:36:11 +08:00
Huacai Chen 1a34e7f2fc ACPI updates for 6.2-rc1
- Update the ACPICA code in the kernel to the 20221020 upstream
    version and fix a couple of issues in it:
 
    * Make acpi_ex_load_op() match upstream implementation (Rafael
      Wysocki).
    * Add support for loong_arch-specific APICs in MADT (Huacai Chen).
    * Add support for fixed PCIe wake event (Huacai Chen).
    * Add EBDA pointer sanity checks (Vit Kabele).
    * Avoid accessing VGA memory when EBDA < 1KiB (Vit Kabele).
    * Add CCEL table support to both compiler/disassembler (Kuppuswamy
      Sathyanarayanan).
    * Add a couple of new UUIDs to the known UUID list (Bob Moore).
    * Add support for FFH Opregion special context data (Sudeep Holla).
    * Improve warning message for "invalid ACPI name" (Bob Moore).
    * Add support for CXL 3.0 structures (CXIMS & RDPAS) in the CEDT
      table (Alison Schofield).
    * Prepare IORT support for revision E.e (Robin Murphy).
    * Finish support for the CDAT table (Bob Moore).
    * Fix error code path in acpi_ds_call_control_method() (Rafael
      Wysocki).
    * Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() (Li
      Zetao).
    * Update the version of the ACPICA code in the kernel (Bob Moore).
 
  - Use ZERO_PAGE(0) instead of empty_zero_page in the ACPI device
    enumeration code (Giulio Benetti).
 
  - Change the return type of the ACPI driver remove callback to void and
    update its users accordingly (Dawei Li).
 
  - Add general support for FFH address space type and implement the low-
    level part of it for ARM64 (Sudeep Holla).
 
  - Fix stale comments in the ACPI tables parsing code and make it print
    more messages related to MADT (Hanjun Guo, Huacai Chen).
 
  - Replace invocations of generic library functions with more kernel-
    specific counterparts in the ACPI sysfs interface (Christophe JAILLET,
    Xu Panda).
 
  - Print full name paths of ACPI power resource objects during
    enumeration (Kane Chen).
 
  - Eliminate a compiler warning regarding a missing function prototype
    in the ACPI power management code (Sudeep Holla).
 
  - Fix and clean up the ACPI processor driver (Rafael Wysocki, Li Zhong,
    Colin Ian King, Sudeep Holla).
 
  - Add quirk for the HP Pavilion Gaming 15-cx0041ur to the ACPI EC
    driver (Mia Kanashi).
 
  - Add some mew ACPI backlight handling quirks and update some existing
    ones (Hans de Goede).
 
  - Make the ACPI backlight driver prefer the native backlight control
    over vendor backlight control when possible (Hans de Goede).
 
  - Drop unsetting ACPI APEI driver data on remove (Uwe Kleine-König).
 
  - Use xchg_release() instead of cmpxchg() for updating new GHES cache
    slots (Ard Biesheuvel).
 
  - Clean up the ACPI APEI code (Sudeep Holla, Christophe JAILLET, Jay Lu).
 
  - Add new I2C device enumeration quirks for Medion Lifetab S10346 and
    Lenovo Yoga Tab 3 Pro (YT3-X90F) (Hans de Goede).
 
  - Make the ACPI battery driver notify user space about adding new
    battery hooks and removing the existing ones (Armin Wolf).
 
  - Modify the pfr_update and pfr_telemetry drivers to use ACPI_FREE()
    for freeing acpi_object structures to help diagnostics (Wang ShaoBo).
 
  - Make the ACPI fan driver use sysfs_emit_at() in its sysfs interface
    code (ye xingchen).
 
  - Fix the _FIF package extraction failure handling in the ACPI fan
    driver (Hanjun Guo).
 
  - Fix the PCC mailbox handling error code path (Huisong Li).
 
  - Avoid using PCC Opregions if there is no platform interrupt allocated
    for this purpose (Huisong Li).
 
  - Use sysfs_emit() instead of scnprintf() in the ACPI PAD driver and
    CPPC library (ye xingchen).
 
  - Fix some kernel-doc issues in the ACPI GSI processing code (Xiongfeng
    Wang).
 
  - Fix name memory leak in pnp_alloc_dev() (Yang Yingliang).
 
  - Do not disable PNP devices on suspend when they cannot be re-enabled
    on resume (Hans de Goede).
 
  - Clean up the ACPI thermal driver a bit (Rafael Wysocki).
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAmOXV10SHHJqd0Byand5
 c29ja2kubmV0AAoJEILEb/54YlRxuOwP/2zew6val2Jf7I/Yxf1iQLlRyGmhFnaH
 wpltJvBjlHjAUKnPQ/kLYK9fjuUY5HVgjOE03WpwhFUpmhftYTrSkhoVkJ1Mw9Zl
 RNOAEgCG484ThHiTIVp/dMPxrtfuqpdbamhWX3Q51IfXjGW8Vc/lDxIa3k/JQxyq
 ko8GFPCoebJrSCfuwaAf2+xSQaf6dq4jpL/rlIk+nYMMB9mQmXhNEhc+l97NaCe8
 MyCIGynyNbhGsIlwdHRvTp04EIe8h0Z1+Dyns7g/TrzHj3Aezy7QVZbn8sKdZWa1
 W/Ck9QST5tfpDWyr+hUXxUJjEn4Yy+GXjM2xON0EMx5q+JD9XsOpwWOVwTR7CS5s
 FwEd6I89SC8OZM86AgMtnGxygjpK24R/kGzHjhG15IQCsypc8Rvzoxl0L0YVoon/
 UTkE57GzNWVzu0pY/oXJc2aT7lVqFXMFZ6ft/zHnBRnQmrcIi+xgDO5ni5KxctFN
 TVFwbAMCuwVx6IOcVQCZM2g4aJw426KpUn19fKnXvPwR5UIufBaCzSKWMiYrtdXr
 O5BM8ElYuyKCWGYEE0GSMjZygyDpyY6ENLH7s7P1IEmFyigBzaaGBbKm108JJq4V
 eCWJYTAx8pAptsU/vfuMvEQ1ErfhZ3TTokA5Lv0uPf53VcAnWDb7EAbW6ZGMwFSI
 IaV6cv6ILoqO
 =GVzp
 -----END PGP SIGNATURE-----
mergetag object 6132a490f9
 type commit
 tag irq-core-2022-12-10
 tagger Thomas Gleixner <tglx@linutronix.de> 1670689576 +0100
 
 Updates for the interrupt core and driver subsystem:
 
  - Core:
 
    The bulk is the rework of the MSI subsystem to support per device MSI
    interrupt domains. This solves conceptual problems of the current
    PCI/MSI design which are in the way of providing support for PCI/MSI[-X]
    and the upcoming PCI/IMS mechanism on the same device.
 
    IMS (Interrupt Message Store] is a new specification which allows device
    manufactures to provide implementation defined storage for MSI messages
    contrary to the uniform and specification defined storage mechanisms for
    PCI/MSI and PCI/MSI-X. IMS not only allows to overcome the size limitations
    of the MSI-X table, but also gives the device manufacturer the freedom to
    store the message in arbitrary places, even in host memory which is shared
    with the device.
 
    There have been several attempts to glue this into the current MSI code,
    but after lengthy discussions it turned out that there is a fundamental
    design problem in the current PCI/MSI-X implementation. This needs some
    historical background.
 
    When PCI/MSI[-X] support was added around 2003, interrupt management was
    completely different from what we have today in the actively developed
    architectures. Interrupt management was completely architecture specific
    and while there were attempts to create common infrastructure the
    commonalities were rudimentary and just providing shared data structures and
    interfaces so that drivers could be written in an architecture agnostic
    way.
 
    The initial PCI/MSI[-X] support obviously plugged into this model which
    resulted in some basic shared infrastructure in the PCI core code for
    setting up MSI descriptors, which are a pure software construct for holding
    data relevant for a particular MSI interrupt, but the actual association to
    Linux interrupts was completely architecture specific. This model is still
    supported today to keep museum architectures and notorious stranglers
    alive.
 
    In 2013 Intel tried to add support for hot-pluggable IO/APICs to the kernel,
    which was creating yet another architecture specific mechanism and resulted
    in an unholy mess on top of the existing horrors of x86 interrupt handling.
    The x86 interrupt management code was already an incomprehensible maze of
    indirections between the CPU vector management, interrupt remapping and the
    actual IO/APIC and PCI/MSI[-X] implementation.
 
    At roughly the same time ARM struggled with the ever growing SoC specific
    extensions which were glued on top of the architected GIC interrupt
    controller.
 
    This resulted in a fundamental redesign of interrupt management and
    provided the today prevailing concept of hierarchical interrupt
    domains. This allowed to disentangle the interactions between x86 vector
    domain and interrupt remapping and also allowed ARM to handle the zoo of
    SoC specific interrupt components in a sane way.
 
    The concept of hierarchical interrupt domains aims to encapsulate the
    functionality of particular IP blocks which are involved in interrupt
    delivery so that they become extensible and pluggable. The X86
    encapsulation looks like this:
 
                                             |--- device 1
      [Vector]---[Remapping]---[PCI/MSI]--|...
                                             |--- device N
 
    where the remapping domain is an optional component and in case that it is
    not available the PCI/MSI[-X] domains have the vector domain as their
    parent. This reduced the required interaction between the domains pretty
    much to the initialization phase where it is obviously required to
    establish the proper parent relation ship in the components of the
    hierarchy.
 
    While in most cases the model is strictly representing the chain of IP
    blocks and abstracting them so they can be plugged together to form a
    hierarchy, the design stopped short on PCI/MSI[-X]. Looking at the hardware
    it's clear that the actual PCI/MSI[-X] interrupt controller is not a global
    entity, but strict a per PCI device entity.
 
    Here we took a short cut on the hierarchical model and went for the easy
    solution of providing "global" PCI/MSI domains which was possible because
    the PCI/MSI[-X] handling is uniform across the devices. This also allowed
    to keep the existing PCI/MSI[-X] infrastructure mostly unchanged which in
    turn made it simple to keep the existing architecture specific management
    alive.
 
    A similar problem was created in the ARM world with support for IP block
    specific message storage. Instead of going all the way to stack a IP block
    specific domain on top of the generic MSI domain this ended in a construct
    which provides a "global" platform MSI domain which allows overriding the
    irq_write_msi_msg() callback per allocation.
 
    In course of the lengthy discussions we identified other abuse of the MSI
    infrastructure in wireless drivers, NTB etc. where support for
    implementation specific message storage was just mindlessly glued into the
    existing infrastructure. Some of this just works by chance on particular
    platforms but will fail in hard to diagnose ways when the driver is used
    on platforms where the underlying MSI interrupt management code does not
    expect the creative abuse.
 
    Another shortcoming of today's PCI/MSI-X support is the inability to
    allocate or free individual vectors after the initial enablement of
    MSI-X. This results in an works by chance implementation of VFIO (PCI
    pass-through) where interrupts on the host side are not set up upfront to
    avoid resource exhaustion. They are expanded at run-time when the guest
    actually tries to use them. The way how this is implemented is that the
    host disables MSI-X and then re-enables it with a larger number of
    vectors again. That works by chance because most device drivers set up
    all interrupts before the device actually will utilize them. But that's
    not universally true because some drivers allocate a large enough number
    of vectors but do not utilize them until it's actually required,
    e.g. for acceleration support. But at that point other interrupts of the
    device might be in active use and the MSI-X disable/enable dance can
    just result in losing interrupts and therefore hard to diagnose subtle
    problems.
 
    Last but not least the "global" PCI/MSI-X domain approach prevents to
    utilize PCI/MSI[-X] and PCI/IMS on the same device due to the fact that IMS
    is not longer providing a uniform storage and configuration model.
 
    The solution to this is to implement the missing step and switch from
    global PCI/MSI domains to per device PCI/MSI domains. The resulting
    hierarchy then looks like this:
 
                               |--- [PCI/MSI] device 1
      [Vector]---[Remapping]---|...
                               |--- [PCI/MSI] device N
 
    which in turn allows to provide support for multiple domains per device:
 
                               |--- [PCI/MSI] device 1
                               |--- [PCI/IMS] device 1
      [Vector]---[Remapping]---|...
                               |--- [PCI/MSI] device N
                               |--- [PCI/IMS] device N
 
    This work converts the MSI and PCI/MSI core and the x86 interrupt
    domains to the new model, provides new interfaces for post-enable
    allocation/free of MSI-X interrupts and the base framework for PCI/IMS.
    PCI/IMS has been verified with the work in progress IDXD driver.
 
    There is work in progress to convert ARM over which will replace the
    platform MSI train-wreck. The cleanup of VFIO, NTB and other creative
    "solutions" are in the works as well.
 
  - Drivers:
 
    - Updates for the LoongArch interrupt chip drivers
 
    - Support for MTK CIRQv2
 
    - The usual small fixes and updates all over the place
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCgAxFiEEQp8+kY+LLUocC4bMphj1TA10mKEFAmOUsygTHHRnbHhAbGlu
 dXRyb25peC5kZQAKCRCmGPVMDXSYoYXiD/40tXKzCzf0qFIqUlZLia1N3RRrwrNC
 DVTixuLtR9MrjwE+jWLQILa85SHInV8syXHSd35SzhsGDxkURFGi+HBgVWmysODf
 br9VSh3Gi+kt7iXtIwAg8WNWviGNmS3kPksxCko54F0YnJhMY5r5bhQVUBQkwFG2
 wES1C9Uzd4pdV2bl24Z+WKL85cSmZ+pHunyKw1n401lBABXnTF9c4f13zC14jd+y
 wDxNrmOxeL3mEH4Pg6VyrDuTOURSf3TjJjeEq3EYqvUo0FyLt9I/cKX0AELcZQX7
 fkRjrQQAvXNj39RJfeSkojDfllEPUHp7XSluhdBu5aIovSamdYGCDnuEoZ+l4MJ+
 CojIErp3Dwj/uSaf5c7C3OaDAqH2CpOFWIcrUebShJE60hVKLEpUwd6W8juplaoT
 gxyXRb1Y+BeJvO8VhMN4i7f3232+sj8wuj+HTRTTbqMhkElnin94tAx8rgwR1sgR
 BiOGMJi4K2Y8s9Rqqp0Dvs01CW4guIYvSR4YY+WDbbi1xgiev89OYs6zZTJCJe4Y
 NUwwpqYSyP1brmtdDdBOZLqegjQm+TwUb6oOaasFem4vT1swgawgLcDnPOx45bk5
 /FWt3EmnZxMz99x9jdDn1+BCqAZsKyEbEY1avvhPVMTwoVIuSX2ceTBMLseGq+jM
 03JfvdxnueM3gw==
 =9erA
 -----END PGP SIGNATURE-----

Merge tags 'acpi-6.2-rc1' and 'irq-core-2022-12-10' into loongarch-next

LoongArch architecture changes for 6.2 depend on the acpi and irqchip
changes to work, so merge them to create a base.
2022-12-13 19:19:41 +08:00
Rafael J. Wysocki bee74dcbd3 Merge branches 'acpi-fan', 'acpi-pcc', 'acpi-misc' and 'pnp'
Merge ACPI fan driver fixes, ACPI PCC driver fixes, miscellaneous ACPI
cleanups and PNP updates for 6.2-rc1:

 - Make the ACPI fan driver use sysfs_emit_at() in its sysfs interface
   code (ye xingchen).

 - Fix the _FIF package extraction failure handling in the ACPI fan
   driver (Hanjun Guo).

 - Fix the PCC mailbox handling error code path (Huisong Li).

 - Avoid using PCC Opregions if there is no platform interrupt allocated
   for this purpose (Huisong Li).

 - Use sysfs_emit() instead of scnprintf() in the ACPI PAD driver and
   CPPC library (ye xingchen).

 - Fix some kernel-doc issues in the ACPI GSI processing code (Xiongfeng
   Wang).

 - Fix name memory leak in pnp_alloc_dev() (Yang Yingliang).

 - Do not disable PNP devices on suspend when they cannot be re-enabled
   on resume (Hans de Goede).

* acpi-fan:
  ACPI: fan: Convert to use sysfs_emit_at() API
  ACPI: fan: Bail out if extract package failed

* acpi-pcc:
  mailbox: pcc: Reset pcc_chan_count to zero in case of PCC probe failure
  ACPI: PCC: Setup PCC Opregion handler only if platform interrupt is available

* acpi-misc:
  ACPI: use sysfs_emit() instead of scnprintf()
  ACPI: irq: Fix some kernel-doc issues

* pnp:
  PNP: Do not disable devices on suspend when they cannot be re-enabled on resume
  PNP: fix name memory leak in pnp_alloc_dev()
2022-12-12 15:24:15 +01:00
Rafael J. Wysocki 39f26d1012 Merge branches 'acpi-apei', 'acpi-x86', 'acpi-battery' and 'acpi-pfrut'
Make ACPI APEI updates, x86-specific ACPI updates, ACPI battery driver
fix and ACPI PFRU/T driver fixes for 6.2-rc1:

 - Drop unsetting ACPI APEI driver data on remove (Uwe Kleine-König).

 - Use xchg_release() instead of cmpxchg() for updating new GHES cache
   slots (Ard Biesheuvel).

 - Clean up the ACPI APEI code (Sudeep Holla, Christophe JAILLET, Jay Lu).

 - Add new I2C device enumeration quirks for Medion Lifetab S10346 and
   Lenovo Yoga Tab 3 Pro (YT3-X90F) (Hans de Goede).

 - Make the ACPI battery driver notify user space about adding new
   battery hooks and removing the existing ones (Armin Wolf).

 - Modify the pfr_update and pfr_telemetry drivers to use ACPI_FREE()
   for freeing acpi_object structures to help diagnostics (Wang ShaoBo).

* acpi-apei:
  ACPI: APEI: EINJ: Refactor available_error_type_show()
  ACPI: APEI: EINJ: Fix formatting errors
  ACPI: APEI: Remove a useless include
  ACPI: APEI: Silence missing prototype warnings
  apei/ghes: Use xchg_release() for updating new cache slot instead of cmpxchg()
  ACPI: APEI: Drop unsetting driver data on remove

* acpi-x86:
  ACPI: x86: Add skip i2c clients quirk for Medion Lifetab S10346
  ACPI: x86: Add skip i2c clients quirk for Lenovo Yoga Tab 3 Pro (YT3-X90F)

* acpi-battery:
  ACPI: battery: Call power_supply_changed() when adding hooks

* acpi-pfrut:
  ACPI: pfr_update: use ACPI_FREE() to free acpi_object
  ACPI: pfr_telemetry: use ACPI_FREE() to free acpi_object
2022-12-12 15:13:52 +01:00
Rafael J. Wysocki 6f1581810b Merge branches 'acpi-pm', 'acpi-processor', 'acpi-ec' and 'acpi-video'
Make ACPI power management changes, ACPI processor driver updates, ACPI
EC driver quirk and ACPI backlight driver updates for 6.2-rc1:

 - Print full name paths of ACPI power resources objects during
   enumeration (Kane Chen).

 - Eliminate a compiler warning regarding a missing function prototype
   in the ACPI power management code (Sudeep Holla).

 - Fix and clean up the ACPI processor driver (Rafael Wysocki, Li Zhong,
   Colin Ian King, Sudeep Holla).

 - Add quirk for the HP Pavilion Gaming 15-cx0041ur to the ACPI EC
   driver (Mia Kanashi).

 - Add some mew ACPI backlight handling quirks and update some existing
   ones (Hans de Goede).

 - Make the ACPI backlight driver prefer the native backlight control
   over vendor backlight control when possible (Hans de Goede).

* acpi-pm:
  ACPI: PM: Silence missing prototype warning
  ACPI: PM: Print full name path while adding power resource

* acpi-processor:
  ACPI: processor: perflib: Adjust acpi_processor_notify_smm() return value
  ACPI: processor: perflib: Rearrange acpi_processor_notify_smm()
  ACPI: processor: perflib: Rearrange unregistration routine
  ACPI: processor: perflib: Drop redundant parentheses
  ACPI: processor: perflib: Adjust white space
  ACPI: processor: idle: Drop unnecessary statements and parens
  ACPI: processor: Silence missing prototype warnings
  ACPI: processor_idle: Silence missing prototype warnings
  ACPI: processor: throttling: remove variable count
  ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value

* acpi-ec:
  ACPI: EC: Add quirk for the HP Pavilion Gaming 15-cx0041ur

* acpi-video:
  ACPI: video: Prefer native over vendor
  ACPI: video: Simplify __acpi_video_get_backlight_type()
  ACPI: video: Add force_native quirk for Sony Vaio VPCY11S1E
  ACPI: video: Add force_vendor quirk for Sony Vaio PCG-FRV35
  ACPI: video: Change Sony Vaio VPCEH3U1E quirk to force_native
  ACPI: video: Change GIGABYTE GB-BXBT-2807 quirk to force_none
  ACPI: video: Add a few bugtracker links to DMI quirks
2022-12-12 15:05:30 +01:00
Rafael J. Wysocki 45494d77f2 Merge branches 'acpi-scan', 'acpi-bus', 'acpi-tables' and 'acpi-sysfs'
Merge ACPI changes related to device enumeration, device object
managenet, operation region handling, table parsing and sysfs
interface:

 - Use ZERO_PAGE(0) instead of empty_zero_page in the ACPI device
   enumeration code (Giulio Benetti).

 - Change the return type of the ACPI driver remove callback to void and
   update its users accordingly (Dawei Li).

 - Add general support for FFH address space type and implement the low-
   level part of it for ARM64 (Sudeep Holla).

 - Fix stale comments in the ACPI tables parsing code and make it print
   more messages related to MADT (Hanjun Guo, Huacai Chen).

 - Replace invocations of generic library functions with more kernel-
   specific counterparts in the ACPI sysfs interface (Christophe JAILLET,
   Xu Panda).

* acpi-scan:
  ACPI: scan: substitute empty_zero_page with helper ZERO_PAGE(0)

* acpi-bus:
  ACPI: FFH: Silence missing prototype warnings
  ACPI: make remove callback of ACPI driver void
  ACPI: bus: Fix the _OSC capability check for FFH OpRegion
  arm64: Add architecture specific ACPI FFH Opregion callbacks
  ACPI: Implement a generic FFH Opregion handler

* acpi-tables:
  ACPI: tables: Fix the stale comments for acpi_locate_initial_tables()
  ACPI: tables: Print CORE_PIC information when MADT is parsed

* acpi-sysfs:
  ACPI: sysfs: use sysfs_emit() to instead of scnprintf()
  ACPI: sysfs: Use kstrtobool() instead of strtobool()
2022-12-12 14:55:44 +01:00
Rafael J. Wysocki 888bc86e7c Merge branch 'acpica'
Merge ACPICA changes, including bug fixes and cleanups as well as support
for some recently defined data structures, for 6.2-rc1:

 - Make acpi_ex_load_op() match upstream implementation (Rafael Wysocki).
 - Add support for loong_arch-specific APICs in MADT (Huacai Chen).
 - Add support for fixed PCIe wake event (Huacai Chen).
 - Add EBDA pointer sanity checks (Vit Kabele).
 - Avoid accessing VGA memory when EBDA < 1KiB (Vit Kabele).
 - Add CCEL table support to both compiler/disassembler (Kuppuswamy
   Sathyanarayanan).
 - Add a couple of new UUIDs to the known UUID list (Bob Moore).
 - Add support for FFH Opregion special context data (Sudeep Holla).
 - Improve warning message for "invalid ACPI name" (Bob Moore).
 - Add support for CXL 3.0 structures (CXIMS & RDPAS) in the CEDT table
   (Alison Schofield).
 - Prepare IORT support for revision E.e (Robin Murphy).
 - Finish support for the CDAT table (Bob Moore).
 - Fix error code path in acpi_ds_call_control_method() (Rafael Wysocki).
 - Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() (Li Zetao).
 - Update the version of the ACPICA code in the kernel (Bob Moore).

* acpica:
  ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
  ACPICA: Fix error code path in acpi_ds_call_control_method()
  ACPICA: Update version to 20221020
  ACPICA: Add utcksum.o to the acpidump Makefile
  Revert "LoongArch: Provisionally add ACPICA data structures"
  ACPICA: Finish support for the CDAT table
  ACPICA: IORT: Update for revision E.e
  ACPICA: Add CXL 3.0 structures (CXIMS & RDPAS) to the CEDT table
  ACPICA: Improve warning message for "invalid ACPI name"
  ACPICA: Add support for FFH Opregion special context data
  ACPICA: Add a couple of new UUIDs to the known UUID list
  ACPICA: iASL: Add CCEL table to both compiler/disassembler
  ACPICA: Do not touch VGA memory when EBDA < 1ki_b
  ACPICA: Check that EBDA pointer is in valid memory
  ACPICA: Events: Support fixed PCIe wake event
  ACPICA: MADT: Add loong_arch-specific APICs support
  ACPICA: Make acpi_ex_load_op() match upstream
2022-12-12 14:41:48 +01:00
Linus Torvalds 830b3c68c1 Linux 6.1 2022-12-11 14:15:18 -08:00
Linus Torvalds d92b86f672 IOMMU Fix for Linux v6.1-rc8
Including:
 
 	- Fix device mask to catch all affected devices in the recently added
 	  quirk for QAT devices in the Intel VT-d driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEr9jSbILcajRFYWYyK/BELZcBGuMFAmOV37AACgkQK/BELZcB
 GuMmgA/9Ec7btTVq/o6Hk3Hf/F5qSprOptTmKxVli7ta2ReVbjcZEi0g8hPiDUGU
 Uog4Abl5ndP/JixkKBRY3m5ypL2Y8Ip/KEjDF9uEHPTYK22JklMa9OZAOby+eu+h
 cPon0RKVUfEmrtxoCpFc1w/38V5LJq9QoDgLWvyoL9HBjdrX/DQ4WU4EVVAbW1DQ
 XqbyCeksLUJCg+it3593KXKbWdT8lVkiB2lk8R5Q8oPzGeai4g+gy6waXDw+yYty
 8jhC2TPNTHpgT0GMONr9hswN7wOjlboGlifgo23iCuDdvtdwklcIBFn8H9IGhqGH
 dPJmiN6+r9YKQ2IrQyXXjx5ZrxXT2VGxxIangbuImfhfdxKnr9smHrjGL65TIcbl
 eGXPt38gDoMPaMXqMMHia0DFZZPjW8yrqFRclDrUjBM1Kd1D5k/UKidHMfRuGFFj
 WrekHmcsAeoom1TtR763BpJGfRqemWa/Y/kFp0OivYqeLa0BjdpqiKlC4hyTraAa
 fCSIr39XsX0oeBDvkIPkfFrbp/u1no+xIj2qlb2YPwWQL4E0HUstmK9ahJez4hyq
 tMxf6Mu5om0EZ/mWLSEfNTcaCvFmTUXk2cwLxzyXSVK8hqKAbHj3D2b+bPEgX9Qe
 izk8pY5+oqBm2OkOTfgFDuJ/ydL0WmHhqH51NlqRvsFMmSB2Y1Q=
 =EMo5
 -----END PGP SIGNATURE-----

Merge tag 'iommu-fix-v6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull iommu fix from Joerg Roedel:

 - Fix device mask to catch all affected devices in the recently added
   quirk for QAT devices in the Intel VT-d driver.

* tag 'iommu-fix-v6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/vt-d: Fix buggy QAT device mask
2022-12-11 09:49:39 -08:00
Linus Torvalds 4cee37b3a4 9 hotfixes. 6 for MM, 3 for other areas. Four of these patches address
post-6.0 issues.
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQTTMBEPP41GrTpTJgfdBJ7gKXxAjgUCY5Ur2AAKCRDdBJ7gKXxA
 jsGmAQDWSq6z9fVgk30XpMr/X7t5c6NTPw5GocVpdwG8iqch3gEAjEs5/Kcd/mx4
 d1dLaJFu1u3syessp8nJrNr1HANIog8=
 =L8zu
 -----END PGP SIGNATURE-----

Merge tag 'mm-hotfixes-stable-2022-12-10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Pull misc fixes from Andrew Morton:
 "Nine hotfixes.

  Six for MM, three for other areas. Four of these patches address
  post-6.0 issues"

* tag 'mm-hotfixes-stable-2022-12-10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
  memcg: fix possible use-after-free in memcg_write_event_control()
  MAINTAINERS: update Muchun Song's email
  mm/gup: fix gup_pud_range() for dax
  mmap: fix do_brk_flags() modifying obviously incorrect VMAs
  mm/swap: fix SWP_PFN_BITS with CONFIG_PHYS_ADDR_T_64BIT on 32bit
  tmpfs: fix data loss from failed fallocate
  kselftests: cgroup: update kmem test precision tolerance
  mm: do not BUG_ON missing brk mapping, because userspace can unmap it
  mailmap: update Matti Vaittinen's email address
2022-12-10 17:10:52 -08:00
Linus Torvalds 296a7b7eb7 ARM fixes for 6.1
One further ARM fix for 6.1 from Wang Kefeng, fixing up the handling
 for kfence faults.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEuNNh8scc2k/wOAE+9OeQG+StrGQFAmOUtTQACgkQ9OeQG+St
 rGSo7RAAigvanMYnpBUeyncAkWTUuym4N+ghlVRsmBtKZDlPTajwIj27LEKIgdAf
 yKBvMWgeN/+1K4XwEEon7n1OXfLmFfWiMoMhUj+R9Us32wTsnPzj922hPkuEp3s+
 MCQP3McP+tfwdbQiMUwtGfEjtIzoCDQ5fh3XoHqW5RK/mHpvf0W+Xniw58RcrFjd
 rnbMUqCwo+KTfIddUkN2+bVLoxgLgAmTqJ4hzAtnEjxA4zCCxujk4KoVpk4Ov7FF
 ovsvQeA/zuwMKf7cT/FG8xNSsGZKuo+LhAv8KsB1LmV9nAh71Mq/LHgc2dZ0KKsO
 XGMuWeEqxr3luUEXi84J9AGLTtROKGdsraYcLxCeyOSt5UWirCuLbPTxltEXscTQ
 ADF11j/FwVzUnJxtRm8mwWM8SgAWbTcenZSRRuN+tDSoCmW+tjnXlgoG9Fu3WFXc
 T7luJOxAcu8P7wvejhsVliY3dS/6Sywrnrn84Kp7ayJcNZriMssMLooPwoib9Tw/
 9zDPrUnoka54dhr/etFKtybvRhTr0i7HO1OAVlAUSNLT5K2ZN5ER2s87tRREgq7Q
 98oKH7+3QuRRO/302VVGtnUqvdelJEXeymTlDUpxNhKAeJN0Z0OFHhsUVXmlOqWc
 21e2ge8FFoOIL/fJMPfrFq+qpOB5M2SlN0/4W62kNUzdRrI9WN4=
 =PqxP
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm

Pull ARM fix from Russell King:
 "One further ARM fix for 6.1 from Wang Kefeng, fixing up the handling
  for kfence faults"

* tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
  ARM: 9278/1: kfence: only handle translation faults
2022-12-10 10:14:52 -08:00
Tejun Heo 4a7ba45b1a memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call.  As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file.  Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.

Prior to 347c4a8747 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses.  The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through.  With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free's.

Fix the bug by resurrecting the file type check in __file_cft().  Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection.  Instead, let's check the superblock
and dentry type.

Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org
Fixes: 347c4a8747 ("memcg: remove cgroup_event->cft")
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: <stable@vger.kernel.org>	[3.14+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:17 -08:00
Muchun Song a501788ab2 MAINTAINERS: update Muchun Song's email
I'm moving to the @linux.dev account.  Map my old addresses and update it
to my new address.

Link: https://lkml.kernel.org/r/20221208115548.85244-1-songmuchun@bytedance.com
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:17 -08:00
John Starks fcd0ccd836 mm/gup: fix gup_pud_range() for dax
For dax pud, pud_huge() returns true on x86. So the function works as long
as hugetlb is configured. However, dax doesn't depend on hugetlb.
Commit 414fd080d1 ("mm/gup: fix gup_pmd_range() for dax") fixed
devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
well.

This fixes the below kernel panic:

general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
	< snip >
Call Trace:
<TASK>
get_user_pages_fast+0x1f/0x40
iov_iter_get_pages+0xc6/0x3b0
? mempool_alloc+0x5d/0x170
bio_iov_iter_get_pages+0x82/0x4e0
? bvec_alloc+0x91/0xc0
? bio_alloc_bioset+0x19a/0x2a0
blkdev_direct_IO+0x282/0x480
? __io_complete_rw_common+0xc0/0xc0
? filemap_range_has_page+0x82/0xc0
generic_file_direct_write+0x9d/0x1a0
? inode_update_time+0x24/0x30
__generic_file_write_iter+0xbd/0x1e0
blkdev_write_iter+0xb4/0x150
? io_import_iovec+0x8d/0x340
io_write+0xf9/0x300
io_issue_sqe+0x3c3/0x1d30
? sysvec_reschedule_ipi+0x6c/0x80
__io_queue_sqe+0x33/0x240
? fget+0x76/0xa0
io_submit_sqes+0xe6a/0x18d0
? __fget_light+0xd1/0x100
__x64_sys_io_uring_enter+0x199/0x880
? __context_tracking_enter+0x1f/0x70
? irqentry_exit_to_user_mode+0x24/0x30
? irqentry_exit+0x1d/0x30
? __context_tracking_exit+0xe/0x70
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fc97c11a7be
	< snip >
</TASK>
---[ end trace 48b2e0e67debcaeb ]---
RIP: 0010:internal_get_user_pages_fast+0x340/0x990
	< snip >
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled

Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com
Fixes: 414fd080d1 ("mm/gup: fix gup_pmd_range() for dax")
Signed-off-by: John Starks <jostarks@microsoft.com>
Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Yu Zhao <yuzhao@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:17 -08:00
Liam Howlett 6c28ca6485 mmap: fix do_brk_flags() modifying obviously incorrect VMAs
Add more sanity checks to the VMA that do_brk_flags() will expand.  Ensure
the VMA matches basic merge requirements within the function before
calling can_vma_merge_after().

Drop the duplicate checks from vm_brk_flags() since they will be enforced
later.

The old code would expand file VMAs on brk(), which is functionally
wrong and also dangerous in terms of locking because the brk() path
isn't designed for file VMAs and therefore doesn't lock the file
mapping.  Checking can_vma_merge_after() ensures that new anonymous
VMAs can't be merged into file VMAs.

See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/

Link: https://lkml.kernel.org/r/20221205192304.1957418-1-Liam.Howlett@oracle.com
Fixes: 2e7ce7d354 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Suggested-by: Jann Horn <jannh@google.com>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: SeongJae Park <sj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:16 -08:00
David Hildenbrand 630dc25e43 mm/swap: fix SWP_PFN_BITS with CONFIG_PHYS_ADDR_T_64BIT on 32bit
We use "unsigned long" to store a PFN in the kernel and phys_addr_t to
store a physical address.

On a 64bit system, both are 64bit wide.  However, on a 32bit system, the
latter might be 64bit wide.  This is, for example, the case on x86 with
PAE: phys_addr_t and PTEs are 64bit wide, while "unsigned long" only spans
32bit.

The current definition of SWP_PFN_BITS without MAX_PHYSMEM_BITS misses
that case, and assumes that the maximum PFN is limited by an 32bit
phys_addr_t.  This implies, that SWP_PFN_BITS will currently only be able
to cover 4 GiB - 1 on any 32bit system with 4k page size, which is wrong.

Let's rely on the number of bits in phys_addr_t instead, but make sure to
not exceed the maximum swap offset, to not make the BUILD_BUG_ON() in
is_pfn_swap_entry() unhappy.  Note that swp_entry_t is effectively an
unsigned long and the maximum swap offset shares that value with the swap
type.

For example, on an 8 GiB x86 PAE system with a kernel config based on
Debian 11.5 (-> CONFIG_FLATMEM=y, CONFIG_X86_PAE=y), we will currently
fail removing migration entries (remove_migration_ptes()), because
mm/page_vma_mapped.c:check_pte() will fail to identify a PFN match as
swp_offset_pfn() wrongly masks off PFN bits.  For example,
split_huge_page_to_list()->...->remap_page() will leave migration entries
in place and continue to unlock the page.

Later, when we stumble over these migration entries (e.g., via
/proc/self/pagemap), pfn_swap_entry_to_page() will BUG_ON() because these
migration entries shouldn't exist anymore and the page was unlocked.

[   33.067591] kernel BUG at include/linux/swapops.h:497!
[   33.067597] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[   33.067602] CPU: 3 PID: 742 Comm: cow Tainted: G            E      6.1.0-rc8+ #16
[   33.067605] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[   33.067606] EIP: pagemap_pmd_range+0x644/0x650
[   33.067612] Code: 00 00 00 00 66 90 89 ce b9 00 f0 ff ff e9 ff fb ff ff 89 d8 31 db e8 48 c6 52 00 e9 23 fb ff ff e8 61 83 56 00 e9 b6 fe ff ff <0f> 0b bf 00 f0 ff ff e9 38 fa ff ff 3e 8d 74 26 00 55 89 e5 57 31
[   33.067615] EAX: ee394000 EBX: 00000002 ECX: ee394000 EDX: 00000000
[   33.067617] ESI: c1b0ded4 EDI: 00024a00 EBP: c1b0ddb4 ESP: c1b0dd68
[   33.067619] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[   33.067624] CR0: 80050033 CR2: b7a00000 CR3: 01bbbd20 CR4: 00350ef0
[   33.067625] Call Trace:
[   33.067628]  ? madvise_free_pte_range+0x720/0x720
[   33.067632]  ? smaps_pte_range+0x4b0/0x4b0
[   33.067634]  walk_pgd_range+0x325/0x720
[   33.067637]  ? mt_find+0x1d6/0x3a0
[   33.067641]  ? mt_find+0x1d6/0x3a0
[   33.067643]  __walk_page_range+0x164/0x170
[   33.067646]  walk_page_range+0xf9/0x170
[   33.067648]  ? __kmem_cache_alloc_node+0x2a8/0x340
[   33.067653]  pagemap_read+0x124/0x280
[   33.067658]  ? default_llseek+0x101/0x160
[   33.067662]  ? smaps_account+0x1d0/0x1d0
[   33.067664]  vfs_read+0x90/0x290
[   33.067667]  ? do_madvise.part.0+0x24b/0x390
[   33.067669]  ? debug_smp_processor_id+0x12/0x20
[   33.067673]  ksys_pread64+0x58/0x90
[   33.067675]  __ia32_sys_ia32_pread64+0x1b/0x20
[   33.067680]  __do_fast_syscall_32+0x4c/0xc0
[   33.067683]  do_fast_syscall_32+0x29/0x60
[   33.067686]  do_SYSENTER_32+0x15/0x20
[   33.067689]  entry_SYSENTER_32+0x98/0xf1

Decrease the indentation level of SWP_PFN_BITS and SWP_PFN_MASK to keep it
readable and consistent.

[david@redhat.com: rely on sizeof(phys_addr_t) and min_t() instead]
  Link: https://lkml.kernel.org/r/20221206105737.69478-1-david@redhat.com
[david@redhat.com: use "int" for comparison, as we're only comparing numbers < 64]
  Link: https://lkml.kernel.org/r/1f157500-2676-7cef-a84e-9224ed64e540@redhat.com
Link: https://lkml.kernel.org/r/20221205150857.167583-1-david@redhat.com
Fixes: 0d206b5d2e ("mm/swap: add swp_offset_pfn() to fetch PFN from swap entry")
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Yang Shi <shy828301@gmail.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:16 -08:00
Hugh Dickins 44bcabd70c tmpfs: fix data loss from failed fallocate
Fix tmpfs data loss when the fallocate system call is interrupted by a
signal, or fails for some other reason.  The partial folio handling in
shmem_undo_range() forgot to consider this unfalloc case, and was liable
to erase or truncate out data which had already been committed earlier.

It turns out that none of the partial folio handling there is appropriate
for the unfalloc case, which just wants to proceed to removal of whole
folios: which find_get_entries() provides, even when partially covered.

Original patch by Rui Wang.

Link: https://lore.kernel.org/linux-mm/33b85d82.7764.1842e9ab207.Coremail.chenguoqic@163.com/
Link: https://lkml.kernel.org/r/a5dac112-cf4b-7af-a33-f386e347fd38@google.com
Fixes: b9a8a4195c ("truncate,shmem: Handle truncates that split large folios")
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Guoqi Chen <chenguoqic@163.com>
  Link: https://lore.kernel.org/all/20221101032248.819360-1-kernel@hev.cc/
Cc: Rui Wang <kernel@hev.cc>
Cc: Huacai Chen <chenhuacai@loongson.cn>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Vishal Moola (Oracle) <vishal.moola@gmail.com>
Cc: <stable@vger.kernel.org>	[5.17+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:16 -08:00
Michal Hocko de16d6e4a9 kselftests: cgroup: update kmem test precision tolerance
1813e51eec ("memcg: increase MEMCG_CHARGE_BATCH to 64") has changed
the batch size while this test case has been left behind. This has led
to a test failure reported by test bot:
not ok 2 selftests: cgroup: test_kmem # exit=1

Update the tolerance for the pcp charges to reflect the
MEMCG_CHARGE_BATCH change to fix this.

[akpm@linux-foundation.org: update comments, per Roman]
Link: https://lkml.kernel.org/r/Y4m8Unt6FhWKC6IH@dhcp22.suse.cz
Fixes: 1813e51eec ("memcg: increase MEMCG_CHARGE_BATCH to 64")
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reported-by: kernel test robot <yujie.liu@intel.com>
  Link: https://lore.kernel.org/oe-lkp/202212010958.c1053bd3-yujie.liu@intel.com
Acked-by: Shakeel Butt <shakeelb@google.com>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Tested-by: Yujie Liu <yujie.liu@intel.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Feng Tang <feng.tang@intel.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:16 -08:00
Jason A. Donenfeld f5ad508340 mm: do not BUG_ON missing brk mapping, because userspace can unmap it
The following program will trigger the BUG_ON that this patch removes,
because the user can munmap() mm->brk:

  #include <sys/syscall.h>
  #include <sys/mman.h>
  #include <assert.h>
  #include <unistd.h>

  static void *brk_now(void)
  {
    return (void *)syscall(SYS_brk, 0);
  }

  static void brk_set(void *b)
  {
    assert(syscall(SYS_brk, b) != -1);
  }

  int main(int argc, char *argv[])
  {
    void *b = brk_now();
    brk_set(b + 4096);
    assert(munmap(b - 4096, 4096 * 2) == 0);
    brk_set(b);
    return 0;
  }

Compile that with musl, since glibc actually uses brk(), and then
execute it, and it'll hit this splat:

  kernel BUG at mm/mmap.c:229!
  invalid opcode: 0000 [#1] PREEMPT SMP
  CPU: 12 PID: 1379 Comm: a.out Tainted: G S   U             6.1.0-rc7+ #419
  RIP: 0010:__do_sys_brk+0x2fc/0x340
  Code: 00 00 4c 89 ef e8 04 d3 fe ff eb 9a be 01 00 00 00 4c 89 ff e8 35 e0 fe ff e9 6e ff ff ff 4d 89 a7 20>
  RSP: 0018:ffff888140bc7eb0 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 00000000007e7000 RCX: ffff8881020fe000
  RDX: ffff8881020fe001 RSI: ffff8881955c9b00 RDI: ffff8881955c9b08
  RBP: 0000000000000000 R08: ffff8881955c9b00 R09: 00007ffc77844000
  R10: 0000000000000000 R11: 0000000000000001 R12: 00000000007e8000
  R13: 00000000007e8000 R14: 00000000007e7000 R15: ffff8881020fe000
  FS:  0000000000604298(0000) GS:ffff88901f700000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000603fe0 CR3: 000000015ba9a005 CR4: 0000000000770ee0
  PKRU: 55555554
  Call Trace:
   <TASK>
   do_syscall_64+0x2b/0x50
   entry_SYSCALL_64_after_hwframe+0x46/0xb0
  RIP: 0033:0x400678
  Code: 10 4c 8d 41 08 4c 89 44 24 10 4c 8b 01 8b 4c 24 08 83 f9 2f 77 0a 4c 8d 4c 24 20 4c 01 c9 eb 05 48 8b>
  RSP: 002b:00007ffc77863890 EFLAGS: 00000212 ORIG_RAX: 000000000000000c
  RAX: ffffffffffffffda RBX: 000000000040031b RCX: 0000000000400678
  RDX: 00000000004006a1 RSI: 00000000007e6000 RDI: 00000000007e7000
  RBP: 00007ffc77863900 R08: 0000000000000000 R09: 00000000007e6000
  R10: 00007ffc77863930 R11: 0000000000000212 R12: 00007ffc77863978
  R13: 00007ffc77863988 R14: 0000000000000000 R15: 0000000000000000
   </TASK>

Instead, just return the old brk value if the original mapping has been
removed.

[akpm@linux-foundation.org: fix changelog, per Liam]
Link: https://lkml.kernel.org/r/20221202162724.2009-1-Jason@zx2c4.com
Fixes: 2e7ce7d354 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Cc: Yu Zhao <yuzhao@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:16 -08:00
Matti Vaittinen 38f1d4aefd mailmap: update Matti Vaittinen's email address
The email backend used by ROHM keeps labeling patches as spam.  This can
result in missing the patches.

Switch my mail address from a company mail to a personal one.

Link: https://lkml.kernel.org/r/8f4498b66fedcbded37b3b87e0c516e659f8f583.1669912977.git.mazziesaccount@gmail.com
Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com>
Suggested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Cc: Anup Patel <anup@brainfault.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Atish Patra <atishp@atishpatra.org>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Ben Widawsky <bwidawsk@kernel.org>
Cc: Bjorn Andersson <andersson@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: Kirill Tkhai <tkhai@ya.ru>
Cc: Qais Yousef <qyousef@layalina.io>
Cc: Vasily Averin <vasily.averin@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-12-09 18:41:16 -08:00
Linus Torvalds 3ecc37918c media fixes for v6.1-rc9
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE+QmuaPwR3wnBdVwACF8+vY7k4RUFAmOTgE4ACgkQCF8+vY7k
 4RVcCw//Q/s+K++YZntwxHSz2MDiKhfN8qIpNGmH93aCO9799LXYZ5qod9pCHTur
 SKhwcZ50mk1k3PdtIFgLEtvYijFROo/NdEemaGgq00O0I/lD6Ja+IqFAVNqeU6fM
 Lof50HBHvpq3xtx3pRqRxPb2u7eO/nIfDP5we1ul0r0BZiOcSi49cN+WFNwxx6Xb
 vMClq1iF4IWQhcj/ivzhp8tw1rca3NDRHra4qaGVvnK+mkb9Ljffbgv0LNM4+gKE
 A8Nqetu/p0f4A4aOxBwI8tp8QofIZKGWZj+ACZbfrPiMHL95A5d9QLfcTdoBpEb1
 I9hbWLMJKL8yYZ5B6bfwmH5vGPn1FNDSH+rh+GBT77rNUCWqX5JpD+u+CAJTudWf
 VE25YoBUEEm/ooeC30OwjBGe4oyyOIJYeQ1lCmSpl+u2VN59qD4ghrRJU7TY0eyy
 pYEC3Jm8q5KR0uHfsgm4ooE/eYKGmG20PxlcdJvMBZAqJ91/w/JhsH1FBm9NpiJY
 SGtbOT4DxJi1SiByW/oREglnCy3/N0lVLZnoH6etWqVaWeEpWLSyZc/uN6+BjTg9
 b4UdDgpBQpk1chYx+MogejNgLw7PnK1e23rSjhqgg57hzry+ruO1KmTFJnBG4iro
 6/GobKneqbBA9XcYqK43f7E/T7g0r+KpDG+/KyrhHCKC4Wrjztg=
 =qVM+
 -----END PGP SIGNATURE-----

Merge tag 'media/v6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fix from Mauro Carvalho Chehab:
 "A v4l-core fix related to validating DV timings related to video
  blanking values"

* tag 'media/v6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  media: v4l2-dv-timings.c: fix too strict blanking sanity checks
2022-12-09 10:45:51 -08:00
Linus Torvalds 9857feb3f6 ARM: SoC fixes for 6.1, part 6
One more last minute revert for a boot regression that was
 found on the popular colibri-imx7.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmOTUd0ACgkQmmx57+YA
 GNnOFhAAmtry/kRqhEEdq7ZmLCYz1XKWOWWlaiFmfCpRoMqzV0UD1pvme1AYP1BR
 cGksmgznFfvrT1+5/QJN1vteE3RbkSJ07feYjEIuRYnRfe4epNbSTbQDdN4r0Q02
 cHt/HpV+cLX7UIN+3EyBVpHQGaMOQ7BkIMnkTe8M3lUugF340pgXh4Auk7Rv09Me
 51+Lw1mrXbmropLbMawTD3Kg/83RnuMqeqshyPqA7jMA2/j9QaKyODzVRIlLQ8jH
 Cv6HT5zCDYIupVv8IJa4CSu9BPx9U86ZisFHwJM+2+5lKpIGGI5kBIx7Y7gtTxHx
 3KtOlyqDGfFInqQjJP+UUlW5N7SXmSfI/o9b2RFW/mtj6htSkpHkXRqOQ7VGN9hG
 z6+nqBokWtzQFjJW4Rk1WqJGz3rLRHkOL+pgsf4r2AjxhkvQDskOdxlJKAQCUvXp
 vd0YhENBkeo2LpKxAJWbBo2GCz+1ZXKg1waarn55OSXzAvK+YeFvA3/89t15csbo
 ECYHecepJxfb8tOKds81ecQxqkckHzE+sV0LFCEH5SE5lgH8OOXLe9ZusUP/a1MH
 ns+4HhTSx4FWkmmTSQjNFOvvq5NAfM6cx0ZJqpchjhGE6V8RJxaUjkpkWKvRbtay
 2p+/dZRqVgiVTApZS+iv8hoC3oZHRB4cp4y9gFfTvjPrZ1ruGtM=
 =3aYL
 -----END PGP SIGNATURE-----

Merge tag 'soc-fixes-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fix from Arnd Bergmann:
 "One more last minute revert for a boot regression that was found on
  the popular colibri-imx7"

* tag 'soc-fixes-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  Revert "ARM: dts: imx7: Fix NAND controller size-cells"
2022-12-09 10:32:40 -08:00
Linus Torvalds 0d1409e4ff drm fixes for 6.1-rc9
amdgpu:
 - S0ix fix
 - DCN 3.2 array out of bounds fix
 
 shmem:
 - Fixes to shmem-helper error paths.
 
 bridge:
 - Fix polarity bug in bridge/ti-sn65dsi86.
 
 dw-hdmi:
 - Prefer 8-bit RGB fallback before any YUV mode in dw-hdmi, since some
   panels lie about YUV support.
 
 vmwgfx:
 - Stop using screen objects when SEV is active.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmOShH0ACgkQDHTzWXnE
 hr6dwA//XFUQOnyW+n3zqIC8xwXVy9jUl2lMi2yJKqQgsJUsDYhUDsSaa1MFd7fq
 GN1A91ehbrjnPT8pvDDU5hmOtB/zNMuz9Tf0/7wQxs3r+jPrKZohneq9oDNv3GBp
 jONhKZLL64hHpzro4ZyW7ESWkJBIFetDTfxuoLid7o+0poAEjd4Yt4jIbonMlKKY
 U1JWLKKB/8oxr0onrx9B0q4Fv8to16rDF86V+ArjNJxNKu6uj1OSKJr7wJmeZsx1
 PaMjjSVfS1vQdnIUNByEXHFrRKgdz3xkjfPYdPV5ykGKM4y43Wc74LkX86DPFUmI
 esXZSsqDky2D3q1MOrarcS5fN/CRZr37X9Se21kkGUJpHHuGZdlfnOXazR8bTLHu
 1ItIsg6AO2dlnoATWkFxj71us9c7O5VV633lc1GIClW3Xl1w7l63EjpRc6uAg76s
 284RBQF4lzOKAMeeXtNElb6i/gr0HuXKjEUxlqMnjCa30BwNjAxMBVo2hev+v53d
 Y0nVlSRhNKkS3oVZEf0SQHYhjk6a8XjecDcHUhN1tT0q15MBy3ght3mDy4dCSkq0
 xje3jjocasxz/ka90oJEv11Pd1An07OrcOBFohuuyHEl1P4gXMSmUfh8YhQUrY//
 krpVTmIViCcOWLo56oVk8U9bqFGdSC4oH3O7MEKYwWZIawsV4sU=
 =bsB6
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2022-12-09' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Last set of fixes for final, scattered bunch of fixes, two amdgpu, one
  vmwgfx, and some misc others.

  amdgpu:
   - S0ix fix
   - DCN 3.2 array out of bounds fix

  shmem:
   - Fixes to shmem-helper error paths

  bridge:
   - Fix polarity bug in bridge/ti-sn65dsi86

  dw-hdmi:
   - Prefer 8-bit RGB fallback before any YUV mode in dw-hdmi, since
     some panels lie about YUV support

  vmwgfx:
   - Stop using screen objects when SEV is active"

* tag 'drm-fixes-2022-12-09' of git://anongit.freedesktop.org/drm/drm:
  drm/amd/display: fix array index out of bound error in DCN32 DML
  drm/amdgpu/sdma_v4_0: turn off SDMA ring buffer in the s2idle suspend
  drm/vmwgfx: Don't use screen objects when SEV is active
  drm/shmem-helper: Avoid vm_open error paths
  drm/shmem-helper: Remove errant put in error path
  drm: bridge: dw_hdmi: fix preference of RGB modes over YUV420
  drm/bridge: ti-sn65dsi86: Fix output polarity setting bug
  drm/vmwgfx: Fix race issue calling pin_user_pages
2022-12-08 16:58:31 -08:00
Dave Airlie c4252650a8 Merge tag 'drm-misc-fixes-2022-12-08' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
drm-misc-fixes for v6.1 final?:
- Fix polarity bug in bridge/ti-sn65dsi86.
- Prefer 8-bit RGB fallback before any YUV mode in dw-hdmi, since some
  panels lie about YUV support.
- Fixes to shmem-helper error paths.
- Small vmwgfx to stop using screen objects when SEV is active.

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/8110f02d-d155-926e-8674-c88b806c3a3a@linux.intel.com
2022-12-09 10:11:06 +10:00
Dave Airlie b4b241ad3f Merge tag 'amd-drm-fixes-6.1-2022-12-07' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
amd-drm-fixes-6.1-2022-12-07:

amdgpu:
- S0ix fix
- DCN 3.2 array out of bounds fix

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221207222751.9558-1-alexander.deucher@amd.com
2022-12-09 10:09:58 +10:00
Linus Torvalds 859c73d439 block-6.1-2022-12-08
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmOSTGAQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpkW4D/49G+WuEFbBE4kM2Jk56tDgdNH611jsetvk
 k5MmaK62FkAGBfoNl6pRpiqpV/MyJyS//SytyJpsv1Fj7InNkpEzbI7cxvbflm4t
 D4/7Pg9VZgtNwrtq2M2t5NeM28scFFjQq3buzYGM6iKrwfcsLagkKiVU7cx0kTEl
 7hzlG2t/FDwBLWCmDSRHVKMB3JJa5hIxpnZklHBmNBpmNh9rl4F2hCwpmi5x+0t+
 qyti+1PRSknEQKspCMNcZvZwVmz0G3QZh2xYWNPkL0fxdQ7hpM65SV5DUs3SLjAr
 FUt9UsvgTdeZ8uhfS1Ft6KgjM9x1hiZx0UYwASQxRdz7fhoG7ygRK9KY5r5v1cbr
 lcUdwl5NJkPllDm5CZNCXMQYJlYMuA7J1VAMG+IZ/Iu5XiEFaEmOEzNrmmW0NZ57
 5Z+2isfo24GGhRk78ryjuqXuwMhM3+DaYeS9+9/h84JcldUtrglOlG6CzX0sHhch
 8xVCN3JVYc9/uWmIwb6QSIEZKNlsqkbiv5Gru1uu2pzX8MtuyC21rIIh8AUOSFl+
 740prC6//wUxDcOHrA0aphubQADImi9RF5J5+40lE1NxSnAz1nMisZ1G7ywIwb+j
 WjFbzW5p7ddO3DZFV+FENZ4QKFTDsR+3/tbbNdQpSmGEKk/KoT1jZyOVnoHsBSkd
 Q7B23nEe8w==
 =JkGh
 -----END PGP SIGNATURE-----

Merge tag 'block-6.1-2022-12-08' of git://git.kernel.dk/linux

Pull block fix from Jens Axboe:
 "A small fix for initializing the NVMe quirks before initializing the
  subsystem"

* tag 'block-6.1-2022-12-08' of git://git.kernel.dk/linux:
  nvme initialize core quirks before calling nvme_init_subsystem
2022-12-08 15:53:39 -08:00
Linus Torvalds af145500af io_uring-6.1-2022-12-08
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmOSTH0QHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpmqXEACoMjqAV3E6E3D7aC3Q+Ngiaok8rJkRpZ9z
 8dKf+ATCw7XJMwEFix+Pqxq+O3fVfYudGiHRZA2CUCmVGkE7t2BHKxcT0vEJ2iAA
 GiyFh+BRN92vD8cwwCVwT0Z518vRHsUNFxkj65dOwUm/v02ThddkQG2mYFcZqG8f
 bKXsaSiTSrV6nxfHHuQuQ5VQcgCTjaGaFKNC7ivpi8UMT+cpcDOyWmP75JmD36s2
 xfXFFSC+gwoyMHqZnL4CyrhoH0qEtcNxSh9CEe1h7u8fc6dAw95UJtaXXH+GdlY1
 xlqYXk+yqWDzxnh9xyfJIRMs6Jm1Xk84Nz+24kB1wR/XZkwaz0ckDZRhp5oEomIa
 /8/bMVoqXnogc5pdHcCQXkT3dM33RKXbwnB7T4MrBvf6+iN3CcmHEH857VDfhzog
 hK6efbNDd6tIR9OxuSCFEiK+8w/tGmaaeMnTVdYywMwxAaGvQoKt3aLqXU00xwGy
 hN8VrHr9CUZafcOrNQ97YOexQqDaJOue2lbGu69qDlvkNwCgjbS1eTgJTIjbJtPA
 5IgQI5sVbuOoACmIT4i8H9s9+Y3UneBHaN6w6MCb0xaSV9qB+PjH0ew19yMhYZ1n
 mcxiiJel9tUVhUmF8NWu8SLCs2kVfMFYsZAblYA+35e56CHjxbmm3uTAoief+co3
 rj4ypuHm0w==
 =Ln4/
 -----END PGP SIGNATURE-----

Merge tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux

Pull io_uring fix from Jens Axboe:
 "A single small fix for an issue related to ordering between
  cancelation and current->io_uring teardown"

* tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux:
  io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
2022-12-08 15:44:09 -08:00
Linus Torvalds 010b6761a9 Including fixes from bluetooth, can and netfilter.
Current release - new code bugs:
 
  - bonding: ipv6: correct address used in Neighbour Advertisement
    parsing (src vs dst typo)
 
  - fec: properly scope IRQ coalesce setup during link up to supported
    chips only
 
 Previous releases - regressions:
 
  - Bluetooth fixes for fake CSR clones (knockoffs):
    - re-add ERR_DATA_REPORTING quirk
    - fix crash when device is replugged
 
  - Bluetooth:
    - silence a user-triggerable dmesg error message
    - L2CAP: fix u8 overflow, oob access
    - correct vendor codec definition
    - fix support for Read Local Supported Codecs V2
 
  - ti: am65-cpsw: fix RGMII configuration at SPEED_10
 
  - mana: fix race on per-CQ variable NAPI work_done
 
 Previous releases - always broken:
 
  - af_unix: diag: fetch user_ns from in_skb in unix_diag_get_exact(),
    avoid null-deref
 
  - af_can: fix NULL pointer dereference in can_rcv_filter
 
  - can: slcan: fix UAF with a freed work
 
  - can: can327: flush TX_work on ldisc .close()
 
  - macsec: add missing attribute validation for offload
 
  - ipv6: avoid use-after-free in ip6_fragment()
 
  - nft_set_pipapo: actually validate intervals in fields
    after the first one
 
  - mvneta: prevent oob access in mvneta_config_rss()
 
  - ipv4: fix incorrect route flushing when table ID 0 is used,
    or when source address is deleted
 
  - phy: mxl-gpy: add workaround for IRQ bug on GPY215B and GPY215C
 
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmOSS98ACgkQMUZtbf5S
 Irssbg//aTPi8bJgyM/yH83QK1+6t23xiW0YscJG3CXr+lTIvXKRoyPjUwNmy1TG
 xr5+dkW73nEVr3Uxkunn1qo+74yYpwewd1gamOxmjD+TDIb2xn/ErN61X506eXTy
 59thWoAMD0EOQrqDIcD4SEfdNMaASrJSD4t8rXwk/h7LMw+mrIsWNSeFL4HpgHOw
 lYwujLwDkkDJNWDWI8NcJiR3i+l7JGOHkcdYfhBZIodBCQ1y/u3AVpK0qZd6eeFs
 3Waz7a0q9M0glHhXXMdN/v+XjxKRE1evkMjv842zABTSLy4lKKZPn//pXwA+bZ24
 qHw2y1a7ZHiRBQMqNCddxzHhe6kfq8OyrCDAI8qupBTNFBXXKzJyxCrbabPNeern
 YW0oggN9dTkES17OeHraA5O8km1L6tfIbm6BLteXAwM4hDoxBSMQYtEDF26P4K1K
 UYufBjfL/hPhuoYNFZ//0laLow+6k8Sl7Pdk/fwd8InCb59YrYUpjod7kXMByw7m
 ++FO3guxnk32ZEWduG3Gc203Vi4acRrQkGqWbhMZtH+ccxexx2Efl6Xn+sq7r9Dv
 rl/PIQiuGdoFf7OaW64FS2Nj8eVAPcqbYUMEc3EBrFDs/CvGTkyzRUcQoLdEf2zu
 p2ldFTerGtek9F7dUs4GZr/vw29n0Q2dPdQVFIcuXo3Nz3wFNKI=
 =+mCl
 -----END PGP SIGNATURE-----

Merge tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Jakub Kicinski:
 "Including fixes from bluetooth, can and netfilter.

  Current release - new code bugs:

   - bonding: ipv6: correct address used in Neighbour Advertisement
     parsing (src vs dst typo)

   - fec: properly scope IRQ coalesce setup during link up to supported
     chips only

  Previous releases - regressions:

   - Bluetooth fixes for fake CSR clones (knockoffs):
       - re-add ERR_DATA_REPORTING quirk
       - fix crash when device is replugged

   - Bluetooth:
       - silence a user-triggerable dmesg error message
       - L2CAP: fix u8 overflow, oob access
       - correct vendor codec definition
       - fix support for Read Local Supported Codecs V2

   - ti: am65-cpsw: fix RGMII configuration at SPEED_10

   - mana: fix race on per-CQ variable NAPI work_done

  Previous releases - always broken:

   - af_unix: diag: fetch user_ns from in_skb in unix_diag_get_exact(),
     avoid null-deref

   - af_can: fix NULL pointer dereference in can_rcv_filter

   - can: slcan: fix UAF with a freed work

   - can: can327: flush TX_work on ldisc .close()

   - macsec: add missing attribute validation for offload

   - ipv6: avoid use-after-free in ip6_fragment()

   - nft_set_pipapo: actually validate intervals in fields after the
     first one

   - mvneta: prevent oob access in mvneta_config_rss()

   - ipv4: fix incorrect route flushing when table ID 0 is used, or when
     source address is deleted

   - phy: mxl-gpy: add workaround for IRQ bug on GPY215B and GPY215C"

* tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (77 commits)
  net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
  s390/qeth: fix use-after-free in hsci
  macsec: add missing attribute validation for offload
  net: mvneta: Fix an out of bounds check
  net: thunderbolt: fix memory leak in tbnet_open()
  ipv6: avoid use-after-free in ip6_fragment()
  net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
  net: phy: mxl-gpy: add MDINT workaround
  net: dsa: mv88e6xxx: accept phy-mode = "internal" for internal PHY ports
  xen/netback: don't call kfree_skb() under spin_lock_irqsave()
  dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()
  ethernet: aeroflex: fix potential skb leak in greth_init_rings()
  tipc: call tipc_lxc_xmit without holding node_read_lock
  can: esd_usb: Allow REC and TEC to return to zero
  can: can327: flush TX_work on ldisc .close()
  can: slcan: fix freed work crash
  can: af_can: fix NULL pointer dereference in can_rcv_filter
  net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
  ipv4: Fix incorrect route flushing when table ID 0 is used
  ipv4: Fix incorrect route flushing when source address is deleted
  ...
2022-12-08 15:32:13 -08:00
Linus Torvalds ce19275f01 for-linus-2022120801
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIVAwUAY5JD7aZi849r7WBJAQJtHw//WSKVFMKLq5P0PatMFBusJspse2ZsGFpI
 fumeGoNxd2/Gbj2eRrer5/1D5XU2VXC6Ot9/Rz3oIaOGWQkShjntoWhdpOxPCFI6
 bm2s78iPFSCubwi986vgI4/IOWsqWFcDbIWgn8i9q+ZkUDykIiIsbUAo7FyoX53i
 J34H8+NpQy5gPHXcSpWf83XBBidYC1uPtOk4k+W/SMOgS4UaVn3NAI2W/eKharlG
 kfepb6WRPiFDT/9opMb+PFmp62UeZyImQCxh/S0AjZArCg0A6u01Ou5moizprE2q
 qMgGk1MhruxVmSaCkSnYXn/xbW2JucyU7V2IPWTaBG5IGDUsdAibCD7YblPG/Gm5
 KZ4mz7zazc6gwn63/bxmBMbcfEHg1TUuH5EUW+tY9I/yAVlvYndS76WFCpaiqZfT
 uwq4aOVwZ2lPtmww/D0EZsTKtilhGTaSUW+/XdbGWLm4X9dKB+QJNzr8n00FeUDb
 g+pdqK6+oTviKd6WDIgU7PwBTED8aYF9krknl7U61scTAod5pivdk2GEX+7mAiYq
 ir/Hhrl0h2bO3XGNA5ViW2yNMVLFeFi4jAP5Wwk9X1polyMBicaqVe0M+IK2XCoT
 U8yhHYPnxrjfei8cd0gY56lzxKmI+Np6EVTVFA3big/wZ2jmjenFdgMLVP8Cw0H+
 RkfkW7pqZpQ=
 =eEFh
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-2022120801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid

Pull HID fixes from Jiri Kosina:
 "A regression fix for handling Logitech HID++ devices and memory
  corruption fixes:

   - regression fix (revert) for catch-all handling of Logitech HID++
     Bluetooth devices; there are devices that turn out not to work with
     this, and the root cause is yet to be properly understood. So we
     are dropping it for now, and it will be revisited for 6.2 or 6.3
     (Benjamin Tissoires)

   - memory corruption fix in HID core (ZhangPeng)

   - memory corruption fix in hid-lg4ff (Anastasia Belova)

   - Kconfig fix for I2C_HID (Benjamin Tissoires)

   - a few device-id specific quirks that piggy-back on top of the
     important fixes above"

* tag 'for-linus-2022120801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  Revert "HID: logitech-hidpp: Enable HID++ for all the Logitech Bluetooth devices"
  Revert "HID: logitech-hidpp: Remove special-casing of Bluetooth devices"
  HID: usbhid: Add ALWAYS_POLL quirk for some mice
  HID: core: fix shift-out-of-bounds in hid_report_raw_event
  HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
  HID: fix I2C_HID not selected when I2C_HID_OF_ELAN is
  HID: hid-lg4ff: Add check for empty lbuf
  HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10
  HID: uclogic: Fix frame templates for big endian architectures
2022-12-08 12:37:42 -08:00
Linus Torvalds f3e8416619 ARM: SoC fixes for 6.1, part 5
One last build fix came in, addressing a link failure when
 building without CONFIG_OUTER_CACHE
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmOR5EQACgkQmmx57+YA
 GNnJXhAAjdEuH4YNKdGSDG7psY/6zkwAdG3/4BtMRzYaAFI0o2JuDmNScJY9CgbK
 BrWmdFArdKPGn1cPh1YHTfKHQR8QS3UbNHr/ykqWE8zhJzpti2DjHqg2bDWXtg8v
 M9dla+Da1Y/7mIRUyj4Mfi6WMp7k2Tu9cQ09tyIKXOmeS79mSARrRq3H1U3YzAfe
 /Ou/i3TzhzHXAg5NOlYaNNXeKsPPhONhPvylLd7pyOl2z508IPqELfZI/nLN7lA7
 M/FtL9rlBnwPjNiMTICUu11tcVSEWpz+wrXUoYZqsurBuz9oFrxZlMLaSpeGAOWi
 XyQF5ibMWAP7l8nWrQRoToTizMuJ0P7N1ji734iLmXd1LsO2O7bUXbu31eBT6vMw
 rsMJjQCg2TCKXGsdr32J+6+MbZZIUs4/lenYV3P+duh/Q+jbnIOJrPlZ5GCjkxGS
 CcH/xve91vNk6sz3z/WrQ88tFwhXeahjHqmQjvAcGnKDczt1BUxl8b3zSLc0T2F5
 B4Y6n3i9ovX0+ugSyGk/eIhGyZ1oKlX+Ev7N7TEwexcevjP7ITDXB/pvPWE89I0W
 3bT+jFzuTbBjEs8WXqr9PJ0MzKLHQueU0karUMOTsnh+6FDDb18OoeWre9ao8HvB
 tQXL+JCr4bDCuKHlgj87gzMXtx2LQ00iseZb5e8dmmc8ZLw7ruU=
 =5lcR
 -----END PGP SIGNATURE-----

Merge tag 'soc-fixes-6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fix from Arnd Bergmann:
 "One last build fix came in, addressing a link failure when building
  without CONFIG_OUTER_CACHE"

* tag 'soc-fixes-6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  ARM: at91: fix build for SAMA5D3 w/o L2 cache
2022-12-08 11:22:27 -08:00
Benjamin Tissoires a9d9e46c75 Revert "HID: logitech-hidpp: Enable HID++ for all the Logitech Bluetooth devices"
This reverts commit 532223c8ac.

As reported in [0], hid-logitech-hidpp now binds on all bluetooth mice,
but there are corner cases where hid-logitech-hidpp just gives up on
the mouse. This leads the end user with a dead mouse.

Given that we are at -rc8, we are definitively too late to find a proper
fix. We already identified 2 issues less than 24 hours after the bug
report. One in that ->match() was never designed to be used anywhere else
than in hid-generic, and the other that hid-logitech-hidpp has corner
cases where it gives up on devices it is not supposed to.

So we have no choice but postpone this patch to the next kernel release.

[0] https://lore.kernel.org/linux-input/CAJZ5v0g-_o4AqMgNwihCb0jrwrcJZfRrX=jv8aH54WNKO7QB8A@mail.gmail.com/

Reported-by: Rafael J . Wysocki <rjw@rjwysocki.net>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2022-12-08 20:18:11 +01:00
Benjamin Tissoires 40f2432b53 Revert "HID: logitech-hidpp: Remove special-casing of Bluetooth devices"
This reverts commit 8544c812e4.

We need to revert commit 532223c8ac ("HID: logitech-hidpp: Enable HID++
for all the Logitech Bluetooth devices") because that commit might make
hid-logitech-hidpp bind on mice that are not well enough supported by
hid-logitech-hidpp, and the end result is that the probe of those mice
is now returning -ENODEV, leaving the end user with a dead mouse.

Given that commit 8544c812e4 ("HID: logitech-hidpp: Remove special-casing
of Bluetooth devices") is a direct dependency of 532223c8ac, revert it
too.

Note that this also adapt according to commit 908d325e16 ("HID:
logitech-hidpp: Detect hi-res scrolling support") to re-add support of
the devices that were removed from that commit too.

I have locally an MX Master and I tested this device with that revert,
ensuring we still have high-res scrolling.

Reported-by: Rafael J . Wysocki <rjw@rjwysocki.net>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2022-12-08 20:18:11 +01:00
Linus Torvalds 7f043b7662 LoongArch fixes for v6.1-final
-----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCAA0FiEEzOlt8mkP+tbeiYy5AoYrw/LiJnoFAmOR3UcWHGNoZW5odWFj
 YWlAa2VybmVsLm9yZwAKCRAChivD8uImesDED/90fKvraGLbwAzS/nV131JyrJO9
 BQ96cSbD9fzsy9Iq+sO9tutyPPCR3thJpJ2gnaCHlo9pn1mjQVEzX39izSkaOJ0G
 0OWeBXa429RMbNERMgxc62aZd21LNKGrrAaW9+1pnZebQ0ELvx55+PnoQNKbxlhR
 EoyjBtSZ9Hb+FV1f6yroAtAWfBw5X2GYYfSr2yjnxY2py6zLKEzTsEOzzU6rPbso
 e0457hFPB5mudAsdTjB2Icjays9BUaJffhp/eLDleky8P0ERJLfldYhnxnKqTE3q
 hZOeHZH3O9rbNUnktlgj/J8VTrrb7yYHaZMQGOzTaXBrvjj9q0k5kSMNKWdoRq37
 ZfnXwMtEGmgXf/htx/wY9sM7FCqV7QY5ubU5SkfU2ygNOdsWQFHmgl6QNtuvx4ii
 GvkHzYpymNdvlD1ZbqFPq7eABBriGs3tefUHPQ8/FoaiMudlAgZKjSuDYIUcy3nK
 3d5abAjCmxMybLGc9bI3T3BPFPGrpUlme/WdKZvvQJ3azia5F0sn2JMa7STVg3FF
 hLFvbS5RKP7dD7uP4CHbnCe5OD7aFBHmar5MYiJY4WrBIKiMQv+URtGKg9g+PDv1
 rFiiEfMfRWe2tVPuyZ5XnkQJxJp4otgaWdRNdQUDmo5uPE85H0hHw1bHw3eEtAK/
 f133+V+/kxamE1F6jg==
 =2sT6
 -----END PGP SIGNATURE-----

Merge tag 'loongarch-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson

Pull LoongArch fixes from Huacai Chen:
 "Export smp_send_reschedule() for modules use, fix a huge page entry
  update issue, and add documents for booting description"

* tag 'loongarch-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
  docs/zh_CN: Add LoongArch booting description's translation
  docs/LoongArch: Add booting description
  LoongArch: mm: Fix huge page entry update for virtual machine
  LoongArch: Export symbol for function smp_send_reschedule()
2022-12-08 11:16:15 -08:00
Linus Torvalds a4c3a07e5b xen: branch for v6.1-rc9b
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQRTLbB6QfY48x44uB6AXGG7T9hjvgUCY5GCdwAKCRCAXGG7T9hj
 vsFlAQD4Nn5w0MRewBvRRPp81Wbjhm6mnckOCRPATud6yyrUVgEApZJp+BRNoW1x
 kTVkkOb1x8XxJg1gzM7p5i2WSoCsRQo=
 =NnbR
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-xsa-6.1-rc9b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fix from Juergen Gross:
 "A single fix for the recent security issue XSA-423"

* tag 'for-linus-xsa-6.1-rc9b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/netback: fix build warning
2022-12-08 11:11:06 -08:00
Linus Torvalds 306ba2402d gpio fixes for v6.1
- fix a memory leak in gpiolib core
 - fix reference leaks in gpio-amd8111 and gpio-rockchip
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEFp3rbAvDxGAT0sefEacuoBRx13IFAmOSLrsACgkQEacuoBRx
 13K4Ag/+PE+Oa+EPa5H2+gShdaXgQPHWSly/tWxtbYvaru8UDpM6UpqSQ/gHx2ZT
 ALgSRq0qMDeaJcZzrPEvi1bBSEgi5Jaq4jQAS51w7lLVCElDoNhptwMx03YUTZfs
 sc6ETyVr4MEyblXmcucHu6Mh97yRoUWYndZes+vpAueEIV9VxDJkrLUzh5ETf1Q2
 EJ6NXVOUXiTVHyuynFrMbLzXxpCX6TJC+ez1vLz+PaiLQJ3aWkECPm5ZNY/6fSIu
 NA+ywrYXaq8wlamggbyfyWjIwZNRj7SDmC+YKyLfXiUtiPRCoClGzw2txTv9Umoi
 IzmKFOnddepwPUcHEVLYkAmMeSYbIG6K3LQL5eg5FFqi27mExPxs22Z38gouyA9x
 ok0ozoplzFZBm31oclsWTbkhBCQTpYm63fGFe1KMoEXmRjAJDhg7siktmlrMUQJp
 3ClVTlaLP/AOXlv5Fb0buw6vAqBU4kJxKOIFTxTGDqNkmusLEs4N33i0ZIFMLevd
 FqHCxOXePVuZqBJtsUNOzmlpYpJiFc+qJ09yH1xmHqABNdkoWU8MTehgsLFB5VY2
 if1qB+O090XAjRFZmjsrx0vLToUUTZMPO5mbpae5yJhQ8VBZURL12Jk+fI5hBJVI
 JCScXi6LkPO0eNG82hmmpa7xxHNfqabwF1EMTuRDLSJWMfn7Xic=
 =oBrd
 -----END PGP SIGNATURE-----

Merge tag 'gpio-fixes-for-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux

Pull gpio fixes from Bartosz Golaszewski:

 - fix a memory leak in gpiolib core

 - fix reference leaks in gpio-amd8111 and gpio-rockchip

* tag 'gpio-fixes-for-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
  gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()
  gpio: amd8111: Fix PCI device reference count leak
  gpiolib: fix memory leak in gpiochip_setup_dev()
2022-12-08 11:00:42 -08:00
Linus Torvalds 57fb3f66a3 ATA fixes for 6.1-rc8
A single fix for this final PR for 6.1-rc:
 
   - Avoid a NULL pointer dereference in the libahci platform code that
     can happen on initialization when a device tree does not specify
     names for the adapter clocks (from Anders).
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQSRPv8tYSvhwAzJdzjdoc3SxdoYdgUCY5FONgAKCRDdoc3SxdoY
 dsBSAP9aOBlpbZxMA1SU7Ig9JZDv22W+0D747wuMDHoLzOdlHQD8CGsarHIFsfU5
 H5xOjTVfkSra5sfMUIpqk31R77ETDwg=
 =jjPB
 -----END PGP SIGNATURE-----

Merge tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata

Pull ATA fix from Damien Le Moal:

 - Avoid a NULL pointer dereference in the libahci platform code that
   can happen on initialization when a device tree does not specify
   names for the adapter clocks (from Anders)

* tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
  ata: libahci_platform: ahci_platform_find_clk: oops, NULL pointer
2022-12-08 10:46:52 -08:00
Tejun Heo fbf8321238 memcg: Fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call.  As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file.  Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.

Prior to 347c4a8747 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses.  The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently
dropped the file type check with it allowing any file to slip through.
With the invarients broken, the d_name and parent accesses can now race
against renames and removals of arbitrary files and cause
use-after-free's.

Fix the bug by resurrecting the file type check in __file_cft().  Now
that cgroupfs is implemented through kernfs, checking the file
operations needs to go through a layer of indirection.  Instead, let's
check the superblock and dentry type.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 347c4a8747 ("memcg: remove cgroup_event->cft")
Cc: stable@kernel.org # v3.14+
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-08 10:40:58 -08:00
Radu Nicolae Pirea (OSS) f8bac7f9fd net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
The SJA1105 family has 45 L2 policing table entries
(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
accounting for the difference in port count (5 in SJA1105 vs 10 in
SJA1110) does not fully explain the difference. Rather, the SJA1110 also
has L2 ingress policers for multicast traffic. If a packet is classified
as multicast, it will be processed by the policer index 99 + SRCPORT.

The sja1105_init_l2_policing() function initializes all L2 policers such
that they don't interfere with normal packet reception by default. To have
a common code between SJA1105 and SJA1110, the index of the multicast
policer for the port is calculated because it's an index that is out of
bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
performed.

The code fails to do the proper thing when determining what to do with the
multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
index will be equal to 45, which is also equal to
table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
through the check. But at the same time, SJA1105 doesn't have multicast
policers. So the code programs the SHARINDX field of an out-of-bounds
element in the L2 Policing table of the static config.

The comparison between index 45 and 45 entries should have determined the
code to not access this policer index on SJA1105, since its memory wasn't
even allocated.

With enough bad luck, the out-of-bounds write could even overwrite other
valid kernel data, but in this case, the issue was detected using KASAN.

Kernel log:

sja1105 spi5.0: Probed switch chip: SJA1105Q
==================================================================
BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
...
Workqueue: events_unbound deferred_probe_work_func
Call trace:
...
sja1105_setup+0x1cbc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
Allocated by task 8:
...
sja1105_setup+0x1bcc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...

Fixes: 38fbe91f22 ("net: dsa: sja1105: configure the multicast policers, if present")
CC: stable@vger.kernel.org # 5.15+
Signed-off-by: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://lore.kernel.org/r/20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-12-08 09:38:31 -08:00
Alexandra Winter ebaaadc332 s390/qeth: fix use-after-free in hsci
KASAN found that addr was dereferenced after br2dev_event_work was freed.

==================================================================
BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
Hardware name: IBM 8561 T01 703 (LPAR)
Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
Call Trace:
 [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
 [<000000016942d118>] print_report+0x110/0x1f8
 [<0000000167a7bd04>] kasan_report+0xfc/0x128
 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
 [<00000001673edd1e>] process_one_work+0x76e/0x1128
 [<00000001673ee85c>] worker_thread+0x184/0x1098
 [<000000016740718a>] kthread+0x26a/0x310
 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
 [<00000001694711da>] ret_from_fork+0xa/0x40
Allocated by task 108338:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 __kasan_kmalloc+0xa0/0xc0
 qeth_l2_switchdev_event+0x25a/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Freed by task 540:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 kasan_save_free_info+0x4c/0x68
 ____kasan_slab_free+0x14e/0x1a8
 __kasan_slab_free+0x24/0x30
 __kmem_cache_free+0x168/0x338
 qeth_l2_br2dev_worker+0x154/0x6b0
 process_one_work+0x76e/0x1128
 worker_thread+0x184/0x1098
 kthread+0x26a/0x310
 __ret_from_fork+0x8a/0xe8
 ret_from_fork+0xa/0x40
Last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 insert_work+0x56/0x2e8
 __queue_work+0x4ce/0xd10
 queue_work_on+0xf4/0x100
 qeth_l2_switchdev_event+0x520/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Second to last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 kvfree_call_rcu+0xb2/0x760
 kernfs_unlink_open_file+0x348/0x430
 kernfs_fop_release+0xc2/0x320
 __fput+0x1ae/0x768
 task_work_run+0x1bc/0x298
 exit_to_user_mode_prepare+0x1a0/0x1a8
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
The buggy address belongs to the object at 00000000fdcea400
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
 96-byte region [00000000fdcea400, 00000000fdcea460)
The buggy address belongs to the physical page:
page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                           ^
 00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================

Fixes: f7936b7b26 ("s390/qeth: Update MACs of LEARNING_SYNC device")
Reported-by: Thorsten Winkler <twinkler@linux.ibm.com>
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
Reviewed-by: Thorsten Winkler <twinkler@linux.ibm.com>
Link: https://lore.kernel.org/r/20221207105304.20494-1-wintera@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-12-08 09:12:56 -08:00